Information Security Policy

Objective
The objective of this policy is to ensure that appropriate safeguards and controls are put in place to protect the confidentiality, integrity, and availability of the University’s information assets in direct support of the University's strategic mission and goals.

Background Information
Information is integral to the operations of the University at Albany. The core services of teaching, learning, and research cannot be realized without robust, reliable, and secure information and information technology infrastructures.

Academic inquiry is dependent on the integrity of information (in transit and at rest), and the trustworthiness of its source.

In order to preserve the trust and confidence of its faculty, students, alumni, and parents, as well as professional, support, and research staff, the University must effectively manage and safeguard the information vital to its operations and the activities of the campus community.

Policy Statement
It is the policy of the University to comply with legal and regulatory requirements governing the collection, retention, dissemination, protection, and destruction of sensitive information.

This requires the University to maintain a vigorous and comprehensive Information Security Program designed to satisfy its statutory obligations, enable and assure core services, and fully support academic inquiry.

The Information Security Program will include the administrative, technical, and physical safeguards appropriate to the size and complexity of the University and the sensitivity of its information. The program will be based on established risk management practices applied to those areas identified in the companion document, “Security Domains Standards.”

Each member of the University community shares a measure of responsibility for the implementation of this program.

Scope
This is a University-wide policy and includes those entities and affiliates that rely on the University’s IT infrastructure or data for their operations.

Roles and Responsibilities
Oversight
The Office of the Chief Information Officer (OCIO) is primarily responsible for assuring an effective Information Security program.

Responsibility for developing, deploying, and managing the Information Security Program lies with the Information Security Officer (ISO), who will work in conjunction with the Internal Control Officer, the Office of University Counsel, and Internal Audit.

Governance
The ISO will work with the relevant stakeholders to formulate specific policies, guidelines, standards, and procedures in support of various risk management strategies. The OCIO may further establish advisory or working groups to assist in implementing this policy.

Operations
Campus information technology service providers are primarily responsible for the implementation of operational controls. Members of the University community at large are responsible for implementing and adhering to relevant standards, procedures, and guidelines.

Compliance
The OCIO is primarily responsible for enforcement. This responsibility may be delegated.

Vice Presidents are responsible for the compliance of their divisions with this policy, related policies, and their applicable standards, guidelines and procedures.

Compliance is determined via periodic audits, scans, and reviews and is measured against published policies, procedures, and standards. The frequency and nature of these reviews are based on the risk and criticality of the resource, major changes, or new State or Federal regulations.

Instances of non-compliance will be addressed on a case-by-case basis. All cases will be documented and written notifications sent to responsible parties. These notices will include recommendations for corrective action. A reasonable period of time, depending on the level of exposure and criticality of the resource, will be stipulated for implementing corrective action. Follow up review(s) will determine the subsequent degree of compliance. Failure to meet compliance requirements may result in sanctions.

Nothing in this section will be construed as an impediment to responding to a security breach incident.

Review
This policy will be reviewed no less than once every five years. Standards, guidelines, and procedures will be reviewed no less than once every two years to confirm that they remain current with respect to the campus’s top-level security domains.

Related Documents
SUNY Information Security Guidelines, Part 1: Campus Programs & Preserving Confidentiality, Document #6608
Family Educational Rights and Privacy Act
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
NYS Information Security Breach & Notification Law
NYS Business Law and Technology Law
NYS Governmental Accountability, Audit & Internal Control Act
NYS Information Security Policy P03-003
Other State and Federal regulations governing the acquisition, retention, and dissemination of protected data
SUNY system-wide information security policies and requirements
SUNY Policies of the Board of Trustees
Community Rights & Responsibilities
Other University IT and Information policies


University at Albany
Security Domains Standards

These standards identify the primary security domains used by the University to meet the Information Security Policy and Program objectives.

Asset Classification—An enterprise-wide program designed to identify critical information and physical assets and develop a comprehensive approach to their protection and management.

Risk Assessment and Analysis—Management processes, conducted on a periodic basis, to identify, report, and analyze reasonably foreseeable internal and external risks and vulnerabilities, likely threats, impacts, and potential losses, using standard risk assessment methodologies, for the purpose of recommending appropriate controls to mitigate unacceptable levels of exposure.

Identity Management—A comprehensive and unified approach to managing the identities of persons and processes issued by the University for the purpose of granting and controlling access to campus information resources. This includes exercising due care in the areas of identity assurance, issuance, authentication, authorization, revocation, and recovery of identity elements (NetIDs, tokens, etc.).

Access Control—Policies and procedures governed by the principle of “least privilege” and employing industry-accepted access control and authorization frameworks to ensure that external and internal computer applications and persons have only such access as is appropriate to information resources, and to facilities and devices containing and displaying information.

Infrastructure Management—Standards and procedures to create and maintain prioritized, reasonable, and appropriate safeguards and controls for the University’s information infrastructure (databases, storage media, workstations, PDAs, servers, network devices, wireless access points, firewalls, etc.), along with measures to ensure compliance.

Software Assurance—Appropriate reviews and controls used to validate the performance and security of software before it is purchased or developed and put into production.

Incident Detection and Management—Procedures and assigned responsibilities for detecting, reporting, and responding to suspected and known information security incidents and occurrences that breach or damage systems that contain sensitive information.

Information Security Awareness Program—The Awareness Program promotes and promulgates best practices at all levels (including management), and informs and safeguards University staff.

Oversight of Service Providers—Reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for sensitive information, and contractual requirements that service providers implement and maintain such safeguards.

Documentation—Maintenance, appropriate availability, and periodic review of information security policies and procedures in written (which may be electronic) form, and written records of any action, activity, or assessment that requires documentation.